Warning: this fake Windows 11 upgrade is filled with malware


Security researchers have found a fake Windows 11 upgrade website that promises to offer a free Windows 11 install for PCs that don’t meet the minimum specifications, but actually installs data-stealing malware.

Windows 11 has some… interesting… requirements to run, and its most famous demand is for Trusted Platform Module (TPM) version 2.0 support. This has led to perfectly capable, and powerful, PCs and laptops being unable to upgrade to Windows 11, as they did not meet the minimum specifications.

Understandably, this annoyed people with relatively new hardware that couldn’t upgrade to the latest version of Windows, and many looked at ways of circumventing the TPM 2.0 requirement to install Windows 11 on their unsupported devices.

It’s these people that this new threat is targeting, as Bleeping Computer reports.

Looking legitimate

While the website’s address (URL) should be a red flag (we won't mention it here), as it’s clearly not a Microsoft website, the site itself looks like an official Microsoft page, using logos and artwork that make it difficult to tell apart from the real thing.

However, as security researchers CloudSEK discovered by clicking the ‘Download now’ button, the website downloads an ISO file that contains malware.

This malware, called ‘Inno Stealer’, uses a part of the Windows installer to create temporary files on an infected PC. These create processes that run and place four additional files on your PC, some of which contain scripts that disable various security features, including in the Windows registry. They also tweak the built-in Windows Defender anti-virus, and remove other security products from Emsisoft and ESET.

Other files then run commands at the highest system privileges, while yet another file is created in the C:\Users\\AppData\Roaming\Windows11InstallationAssistant folder, and it’s this file that contains the data-stealing code, named Windows11InstallationAssistant.scr. This then takes information from web browsers, as well as cryptocurrency wallets, stored passwords and files from the PC itself. This stolen data is then sent to the malicious users who created the malware.
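The file location described above lends itself to a quick host check. The following PowerShell is an added example, not code from the article or from CloudSEK: it sweeps every local profile's AppData\Roaming folder for .scr executables, flags any that match the Windows11InstallationAssistant name quoted here, and prints a Windows Defender snapshot for manual review. The function names and the default C:\Users profile root are assumptions.

```powershell
# Added example, not from the article or CloudSEK. Run elevated to read every profile.
$ArtifactName = 'Windows11InstallationAssistant'   # folder / .scr base name quoted in the article

function Find-RoamingScr {
    param([string]$UsersRoot = (Join-Path $env:SystemDrive 'Users'))  # assumption: default profile root
    foreach ($userDir in Get-ChildItem -LiteralPath $UsersRoot -Directory -Force -ErrorAction SilentlyContinue) {
        $roaming = Join-Path $userDir.FullName 'AppData\Roaming'
        if (-not (Test-Path -LiteralPath $roaming)) { continue }
        # .scr files are ordinary executables, so any of them under Roaming deserves a look.
        $hits = Get-ChildItem -LiteralPath $roaming -Filter '*.scr' -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -ieq '.scr' }
        foreach ($file in $hits) {
            $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
            [pscustomobject]@{
                User           = $userDir.Name
                Path           = $file.FullName
                MatchesArticle = ($file.BaseName -eq $ArtifactName) -or ($file.Directory.Name -eq $ArtifactName)
                Signature      = $sig.Status
                SHA256         = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                CreatedUtc     = $file.CreationTimeUtc
            }
        }
    }
}

function Get-DefenderSnapshot {
    # The article only says Defender is "tweaked"; which settings change is not stated,
    # so this reports the general state and any exclusions for manual review.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        AntivirusEnabled   = $status.AntivirusEnabled
        ExclusionPaths     = @($pref.ExclusionPath)
        ExclusionProcesses = @($pref.ExclusionProcess)
    }
}

$findings = @(Find-RoamingScr)
$findings | Sort-Object MatchesArticle -Descending | Format-List
if ($findings.MatchesArticle -contains $true) {
    Write-Warning "Artifact named in the article is present; isolate the host and rotate stored credentials."
}
Get-DefenderSnapshot | Format-List
```

An empty result only means the file is not at that location now; it does not rule out an earlier infection that has since been cleaned up or moved.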

Pretty nasty stuff.


Analysis: Be careful what you wish for


The scale of the infection here, and what it’s able to steal from you, is very scary, but the good news is that it’s easy to avoid.

No matter how desperate you are to install Windows 11, you should only download ISO files from sources you are absolutely certain are legitimate. While the makers of this malware have put in a lot of work to make the website look legitimate (like many so-called ‘phishing’ attacks), there are some tell-tale signs, such as the aforementioned URL, which highlights that this is not a genuine Microsoft website.

If your PC is eligible for a Windows 11 upgrade, you’ll be alerted via Windows Update, a tool that’s built into Windows operating systems. This is the safest way to ensure you are downloading and installing a genuine copy of Windows 11.

If your PC isn’t eligible, due to not meeting the TPM 2.0 requirements, then there are some safer ways to install Windows 11 without TPM anyway. But we don’t really recommend any of them, especially as Microsoft is making it harder to run Windows 11 on unsupported systems, which could mean you miss out on important updates, security fixes and features in the future.

Above all, however, you should never attempt to download and install a Windows 11 ISO file from any website that isn’t run by Microsoft itself.

Matt Hanson
Managing Editor, Core Tech

Matt is TechRadar's Managing Editor for Core Tech, looking after computing and mobile technology. Having written for a number of publications such as PC Plus, PC Format, T3 and Linux Format, there's no aspect of technology that Matt isn't passionate about, especially computing and PC gaming. He’s personally reviewed and used most of the laptops in our best laptops guide - and since joining TechRadar in 2014, he's reviewed over 250 laptops and computing accessories personally.
